
Conversation

@yadavchiragg yadavchiragg commented Dec 10, 2025

Overview

Implements complete user authentication system with registration, login, and session management. Integrates security module and database models.

Changes

🔐 Flask Application (app.py)

  • Registration endpoint (/register) with validation
  • Login endpoint (/login) with session creation
  • Logout endpoint (/logout) with session clearing
  • Dashboard (/dashboard) for logged-in users
  • Flash messages for user feedback
  • Database initialization on startup

🎨 HTML Templates (templates/)

  • base.html - Base template with navigation and styling
  • index.html - Home page with feature overview
  • register.html - User registration form
  • login.html - User login form
  • dashboard.html - User dashboard with account info

🗄️ Database Integration

  • User model with email, password_hash, role, created_at
  • SQLite database for local development
  • Automatic table creation on app startup
  • Role-based user types (patient, social_worker, admin)

🔒 Security Integration

  • Password hashing via PasswordManager (bcrypt)
  • Email validation via Validator
  • Password strength enforcement (8+ chars, upper, lower, digit, special)
  • XSS prevention in user inputs
  • Session-based authentication

🧪 Testing (tests/test_auth_routes.py)

  • 11 comprehensive tests covering:
    • Page loading (index, register, login)
    • Successful registration
    • Duplicate email prevention
    • Password mismatch detection
    • Weak password rejection
    • Successful login
    • Invalid credentials handling
    • Dashboard access control
    • Logout functionality

Features Implemented

✅ User Registration

  • Email validation (RFC 5322 format)
  • Password strength validation
  • Duplicate email prevention
  • Automatic password hashing
  • Default role assignment (patient)
  • Success/error flash messages

✅ User Login

  • Email/password authentication
  • Password verification with bcrypt
  • Session creation with user ID, email, role
  • Secure session management
  • Login required redirect

✅ User Dashboard

  • Display user information
  • Show account creation date
  • Role display
  • Protected route (login required)

✅ Session Management

  • Flask session-based authentication
  • User ID stored in session
  • Automatic logout functionality
  • Session clearing on logout

Testing Results

$ python -m pytest tests/test_auth_routes.py -v
======================== test session starts =========================
collected 11 items

tests/test_auth_routes.py::test_index_page PASSED                    [  9%]
tests/test_auth_routes.py::test_register_page_get PASSED             [ 18%]
tests/test_auth_routes.py::test_register_success PASSED              [ 27%]
tests/test_auth_routes.py::test_register_duplicate_email PASSED      [ 36%]
tests/test_auth_routes.py::test_register_password_mismatch PASSED    [ 45%]
tests/test_auth_routes.py::test_register_weak_password PASSED        [ 54%]
tests/test_auth_routes.py::test_login_page_get PASSED                [ 63%]
tests/test_auth_routes.py::test_login_success PASSED                 [ 72%]
tests/test_auth_routes.py::test_login_invalid_credentials PASSED     [ 81%]
tests/test_auth_routes.py::test_dashboard_requires_login PASSED      [ 90%]
tests/test_auth_routes.py::test_logout PASSED                        [100%]

======================== 11 passed in 2.45s ==========================

All tests passing! ✅

User Flow

Registration Flow

  1. User visits /register
  2. Enters email and password
  3. System validates email format
  4. System checks password strength
  5. System checks for duplicate email
  6. Password hashed with bcrypt
  7. User created in database
  8. Redirected to login page

Login Flow

  1. User visits /login
  2. Enters email and password
  3. System finds user by email
  4. Password verified with bcrypt
  5. Session created with user data
  6. Redirected to dashboard

Dashboard Access

  1. User must be logged in
  2. Session checked for user_id
  3. User data fetched from database
  4. Dashboard displays user information

UI/UX Features

  • Clean, modern design with minimal styling
  • Responsive layout works on all devices
  • Clear navigation in header
  • Flash messages for user feedback (success/error)
  • Form validation with helpful error messages
  • Password requirements displayed on registration page
  • Secure password input (hidden characters)

Security Considerations

Implemented

  • ✅ Bcrypt password hashing (cost factor 12)
  • ✅ Password strength enforcement
  • ✅ Email format validation
  • ✅ Session-based authentication
  • ✅ SQL injection prevention (SQLAlchemy)
  • ✅ XSS prevention (input validation)

For Production

  • Use environment variables for SECRET_KEY
  • Enable HTTPS only
  • Add rate limiting for login attempts
  • Implement CSRF tokens
  • Add email verification
  • Use secure session cookies

Database Schema

users
├── id (PRIMARY KEY)
├── email (UNIQUE, INDEXED)
├── password_hash
├── role (ENUM: patient, social_worker, admin)
└── created_at (TIMESTAMP)

Dependencies

All from previous PRs:

  • Flask==3.0.0
  • Flask-SQLAlchemy==3.1.1
  • bcrypt==4.1.2
  • Werkzeug==3.0.0

Manual Testing

Can be tested locally:

# Run application
python app.py

# Visit http://localhost:5000
# 1. Register new account
# 2. Login with credentials
# 3. View dashboard
# 4. Logout

Integration

This PR integrates:

Next Steps

This PR enables:

Related to GSoC 2026 Requirements

Addresses:

  • ✅ "Email-based signups" - Implemented with validation
  • ✅ "Simple username and password" - Email + password auth
  • ✅ "Straightforward login" - Single-page login form
  • ✅ "The system should be secure" - Bcrypt hashing, validation
  • ✅ User roles for patients, social workers, admins

Checklist

  • All authentication routes implemented
  • 11 comprehensive tests passing
  • HTML templates created with responsive design
  • Security integration (password hashing, validation)
  • Database integration (User model)
  • Session management working
  • Flash messages for user feedback
  • Login required protection on dashboard
  • No hardcoded secrets (uses environment variable)
  • Ready for code review
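The registration and login flows listed above (email format check, password rules of 8+ characters with upper, lower, digit and special, duplicate-email rejection, hashing, then a session holding user ID, email and role) as a stand-alone example. This is added here and is not the BHV project's app.py or its PasswordManager/Validator: bcrypt is replaced by the standard library's PBKDF2-HMAC-SHA256 so the block runs without third-party packages, an in-memory dict stands in for the SQLite users table, the Flask session is modelled as a plain dict, and every function and class name is the example's own.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timezone

# Simplified email pattern (the PR's Validator is described as RFC 5322; this is not).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ROLES = ("patient", "social_worker", "admin")
# Work factor for the PBKDF2 stand-in; the PR itself uses bcrypt with cost factor 12.
PBKDF2_ROUNDS = 200_000


def validate_email(email: str) -> bool:
    return EMAIL_RE.match(email) is not None


def password_strength_errors(password: str) -> list:
    """Return the rules from the PR (8+ chars, upper, lower, digit, special) that fail."""
    checks = [
        (len(password) >= 8, "at least 8 characters"),
        (re.search(r"[A-Z]", password), "an uppercase letter"),
        (re.search(r"[a-z]", password), "a lowercase letter"),
        (re.search(r"\d", password), "a digit"),
        (re.search(r"[^A-Za-z0-9]", password), "a special character"),
    ]
    return [msg for ok, msg in checks if not ok]


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the parameters are stored alongside the digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, rounds, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Hash that is checked when the email is unknown, so a login attempt costs the
# same whether or not the account exists (no timing-based account enumeration).
DUMMY_HASH = hash_password("placeholder-not-a-real-password")


class UserStore:
    """Stand-in for the users table: id, email, password_hash, role, created_at."""

    def __init__(self):
        self._users = {}
        self._next_id = 1

    def register(self, email, password, confirm, role="patient"):
        email = email.strip().lower()
        if not validate_email(email):
            return False, "Invalid email address."
        if password != confirm:
            return False, "Passwords do not match."
        missing = password_strength_errors(password)
        if missing:
            return False, "Password needs " + ", ".join(missing) + "."
        if email in self._users:
            return False, "An account with that email already exists."
        if role not in ROLES:
            return False, "Unknown role."
        self._users[email] = {
            "id": self._next_id,
            "email": email,
            "password_hash": hash_password(password),
            "role": role,
            "created_at": datetime.now(timezone.utc),
        }
        self._next_id += 1
        return True, "Registration successful. Please log in."

    def login(self, session, email, password):
        user = self._users.get(email.strip().lower())
        stored = user["password_hash"] if user else DUMMY_HASH
        # The hash check always runs, and both failure cases get the same message.
        if not verify_password(password, stored) or user is None:
            return False, "Invalid email or password."
        session.clear()  # drop anything left over from a previous identity
        session.update({"user_id": user["id"], "email": user["email"], "role": user["role"]})
        return True, "Logged in."

    def current_user(self, session):
        """Dashboard check: require user_id in the session, then load the record."""
        user_id = session.get("user_id")
        if user_id is None:
            return None
        return next((u for u in self._users.values() if u["id"] == user_id), None)


def logout(session):
    session.clear()
```

Two details worth carrying into the real app: the login path verifies against a dummy hash when the email is unknown, so "no such user" and "wrong password" take the same time and return the same message, and the session is cleared before the new identity is written so nothing from an earlier login survives.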

@gemini-code-assist
Contributor

Summary of Changes

Hello @yadavchiragg, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request establishes the foundational user authentication system for the Behavioral Health Vault (BHV) application. It provides secure mechanisms for users to register, log in, and manage their sessions, laying the groundwork for personalized user experiences and protected access to features. The implementation leverages existing security and database modules, ensuring a robust and scalable foundation for future development.

Highlights

  • User Authentication System: Implemented a complete user authentication system including registration, login, and logout functionalities with robust session management.
  • Secure Password Handling: Integrated a dedicated PasswordManager for bcrypt hashing, verification, and comprehensive password strength validation, ensuring secure credential storage.
  • Database Integration: Introduced a User model with fields for email, hashed password, and user roles (patient, social_worker, admin), stored in an SQLite database, and managed via SQLAlchemy.
  • Frontend User Experience: Developed new HTML templates for registration, login, and a user dashboard, along with a base template providing consistent navigation and flash message display.
  • Comprehensive Testing: Added 11 Pytest cases that thoroughly cover all authentication flows, including successful operations, error handling, and security-related scenarios.
  • Security Best Practices: Incorporated email validation, XSS prevention, and secure session management to enhance the overall security posture of the application.

@yadavchiragg
Author

Hey @pradeeban and @mdxabu!

I've built the complete user authentication system for BHV! This integrates the security module from PR #3 with a full Flask application.

What's working:

User Registration - Email validation, password strength checking, duplicate prevention

User Login - Secure bcrypt authentication with session management

Dashboard - Protected route showing user information

All 11 tests passing - Registration, login, logout, access control

The authentication system uses the PasswordManager and Validator from PR #3 for secure password hashing and input validation. I've also created clean, responsive HTML templates that work on all devices.

Users can now:

  • Register with email and strong password
  • Login securely with session creation
  • Access their personal dashboard
  • Logout to clear session

This sets up the foundation for image uploads, narratives, and admin features in future PRs!

Ready for review. Happy to make adjustments!

Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a comprehensive user authentication system, including registration, login, and session management. The implementation is well-structured, separating concerns into models, security utilities, and Flask routes. The use of bcrypt for password hashing and the inclusion of a thorough test suite are commendable.

My review focuses on several key areas for improvement:

  • Security: Strengthening the application against potential vulnerabilities, such as insecure default configurations and incomplete input sanitization.
  • Maintainability: Reducing code duplication and hardcoded values to make future updates easier.
  • Robustness: Improving error handling and test assertions to make the system more reliable and easier to debug.

Overall, this is a solid foundation for the application's authentication system. Addressing the feedback will enhance its security and long-term maintainability.

Comment on lines +64 to +65
text = re.sub(r'<[^>]+>', '', text)
text = re.sub(r'<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>', '', text, flags=re.IGNORECASE)
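Review bot: the order of these two substitutions makes the second one effectively dead code. The first line's `<[^>]+>` already removes every `<...>` run, `<script>` and `</script>` included, so by the time the script-specific pattern on the second line runs there is no complete tag left for it to match. The larger issue is the approach itself: stripping is lossy for ordinary text that happens to contain `<` or `>`, does nothing for input that is already entity-encoded, and stores the result as though it were safe. Prefer keeping the raw value and escaping at output time (Jinja2 autoescaping, which Flask turns on for rendered .html templates, already does this), and use a sanitizer such as bleach only for a field that genuinely needs to allow a subset of HTML.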
Contributor

security-high

Using regular expressions to sanitize HTML is a common source of Cross-Site Scripting (XSS) vulnerabilities, as they can often be bypassed with encoded or malformed input. It is strongly recommended to use a dedicated, well-vetted library like bleach for this purpose to ensure user-provided content is safely rendered.
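To make the point above concrete, here is an added example (not code from the project) that runs the two regular expressions from the reviewed lines over a handful of constructed inputs and compares the result with escaping the value at output time using the standard library's html.escape. The helper names and the sample strings are the example's own.

```python
import html
import re

TAG_RE = r'<[^>]+>'
SCRIPT_RE = r'<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>'


def strip_tags_regex(text: str) -> str:
    """The two substitutions from the reviewed lines, in the same order."""
    text = re.sub(TAG_RE, '', text)
    text = re.sub(SCRIPT_RE, '', text, flags=re.IGNORECASE)
    return text


def second_pass_is_noop(text: str) -> bool:
    """True when the script-specific pattern finds nothing left after the first pass."""
    after_first = re.sub(TAG_RE, '', text)
    after_second = re.sub(SCRIPT_RE, '', after_first, flags=re.IGNORECASE)
    return after_first == after_second


def escape_for_html(text: str) -> str:
    """Store the raw value; escape it where it is placed into HTML text content."""
    return html.escape(text, quote=True)


# Constructed inputs: ordinary prose with comparison operators, simple markup,
# a harmless script element, and a value that was already entity-encoded.
SAMPLES = {
    "prose": "if a < b and c > d then swap",
    "markup": "<b>Hello</b>",
    "script": "<script>x</script>",
    "encoded": "&lt;b&gt;already encoded&lt;/b&gt;",
}


def compare(text: str) -> dict:
    """Side-by-side result of the regex stripper and of output-time escaping."""
    return {"regex_strip": strip_tags_regex(text), "escaped": escape_for_html(text)}


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        result = compare(value)
        print(f"{name:8} strip={result['regex_strip']!r} escape={result['escaped']!r} "
              f"second_pass_noop={second_pass_is_noop(value)}")
```

The "prose" sample shows the cost of stripping: the text between `<` and `>` disappears from a sentence that contained no markup at all, whereas the escaped form renders back as the original sentence. The "encoded" sample shows the other gap: the stripper passes already-encoded input through untouched and the application then has no record of whether that string was safe or not.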

Member

@yadavchiragg pls note the bot comments above.

Author

@pradeeban Ok Sir, I'll fix this as soon as possible.

@mdxabu added the "on hold" label (Not merging this PR now.) on Dec 10, 2025
yadavchiragg and others added 2 commits December 13, 2025 11:50
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

Labels

on hold Not merging this PR now.

3 participants